Windows Attempt To Stop Security Service

Splunk Security Content

Summary
The rule "Windows Attempt To Stop Security Service" detects attempts to shut down security-related services on Windows endpoints, a significant indicator of potentially malicious activity. It uses process creation data from Endpoint Detection and Response (EDR) agents such as Sysmon and CrowdStrike, looking for "sc.exe" and "net.exe" invoked with the "stop" parameter and for the PowerShell "Stop-Service" cmdlet. Identifying such activity matters because terminating security services can expose the organization to unauthorized access and data exfiltration, or clear the way for further malicious actions such as malware deployment or privilege escalation. The detection is implemented as a standardized Splunk query over process creation logs, using the Splunk CIM for field normalization. With no known false positives, the rule is reliable and a key component of proactive endpoint security management.
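As an added illustration (not the rule's own SPL, which this page does not reproduce), the following Python applies the same logic to constructed process-creation events: a stop request issued through sc.exe, net.exe or Stop-Service whose target is on a watchlist of security services. The event fields and the watchlist of service names are assumptions, not the rule's actual lookup.

```python
import re
import shlex

# Constructed sample events, loosely shaped like CIM Endpoint.Processes fields
# (process_name = image name, process = full command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"process_name": "sc.exe", "process": "sc.exe stop WinDefend"},
    {"process_name": "net.exe", "process": 'net stop "Windows Defender Antivirus Service"'},
    {"process_name": "powershell.exe", "process": 'powershell.exe -c "Stop-Service -Name Sense -Force"'},
    {"process_name": "sc.exe", "process": "sc.exe query WinDefend"},   # query, not stop
    {"process_name": "net.exe", "process": "net stop Spooler"},        # not a security service
]

# Illustrative watchlist (constructed, lower-cased); the real rule's list is not on the page.
SECURITY_SERVICES = {
    "windefend", "windows defender antivirus service", "sense", "mssecflt", "wdnissvc",
}


def _stop_target(process_name: str, cmdline: str):
    """Return the service a command line tries to stop, or None if it is not a stop request."""
    name = process_name.lower()
    if name in ("sc.exe", "net.exe", "net1.exe"):
        # "sc stop <svc>" / "net stop <svc>"; non-POSIX mode keeps Windows backslashes intact
        # and groups a quoted, space-containing service name into one token (quotes retained).
        argv = shlex.split(cmdline, posix=False)
        if len(argv) >= 3 and argv[1].lower() == "stop":
            return argv[2].strip("\"'")
        return None
    if name in ("powershell.exe", "pwsh.exe"):
        # Stop-Service <svc> or Stop-Service -Name <svc>, with or without quotes
        m = re.search(r"stop-service\s+(?:-name\s+)?(?:\"([^\"]+)\"|'([^']+)'|(\S+))",
                      cmdline, re.IGNORECASE)
        return next(g for g in m.groups() if g) if m else None
    return None


def detect(events):
    """Flag events whose command line attempts to stop a watched security service."""
    hits = []
    for ev in events:
        target = _stop_target(ev["process_name"], ev["process"])
        if target and target.lower() in SECURITY_SERVICES:
            hits.append({"process": ev["process"], "service": target})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: attempt to stop security service {hit['service']!r}: {hit['process']}")
```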
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2025-01-13